The compliance officer requests that all evasive applications need to be blocked on all perimeter firewalls out to the internet. The firewall is configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)
To block evasive applications effectively, there are two primary methods using Palo Alto Networks NGFW capabilities. First, creating a deny rule at the top of the policy from trust to untrust with 'service application-default' and adding an application filter with the evasive characteristic ensures that any applications identified as evasive by their characteristics are blocked without relying on specific application identifications. Second, creating a deny rule at the top of the policy from trust to untrust over any service and adding an application filter with the evasive characteristic also ensures that all evasive applications are blocked regardless of the service being used. Both methods focus on leveraging the evasive characteristics to enforce the policy.
It's a bit tricky, but the answer becomes clear when you start eliminating the obvious. For example, there's no application called 'evasive' mentioned in options B and C. Therefore, the correct answer is A and D.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-applications/applications-overview
Column Characteristics on the pic: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-applications/applications-overview
Seems correct